SAP bug discovered that allows anyone to hack business applications

An application security firm, Onapsis Research Labs, discovered a critical SAP bug, CVE-2020-6287, codenamed RECON. The bug allows anyone, without any technical knowledge, to hack business applications. The Department of Homeland Security's CISA has issued an alert urging affected organizations to apply patches immediately to address the issue.

Vulnerability:

CVE-2020-6287: The affected component does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system. The weakness class is Missing Authentication Check.

The vulnerability allows a remote, unauthenticated attacker to gain unrestricted access to SAP systems without a username or password. The attacker could therefore steal personally identifiable information (PII), modify financial details such as bank accounts, create a new privileged SAP user, or shut down the entire system.

Affected versions:

The bug, rated 10.0 on the CVSS scale, exists in SAP applications running on top of SAP NetWeaver AS Java releases 7.3 through 7.5 (7.30, 7.31, 7.40, and 7.50).

How attackers exploit the vulnerability:

The RECON bug is exploited through the HTTP interface that most software products use to communicate over the Internet. Its most critical aspect is that the attacker can create user accounts with maximum privileges without authenticating. Consequently, anybody could hack SAP applications without any technical knowledge or user account.

Additionally, the vulnerability allows the intruder to override all system authorization controls and take full control of SAP business applications. Such privileges enable the attacker to access the transaction modules and data within the system. Attackers could corrupt the data, change transaction details such as banking details, or take control of purchasing processes.

The critical SAP bug exists in any SAP application running on the SAP NetWeaver Java technology stack. Specifically, it affects the LM Configuration Wizard component of the SAP NetWeaver Application Server (AS) Java. Most SAP products use this component by default, so the bug is present in most SAP applications.
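The concrete outcome the article describes is an administrative account that appears in the Java user store without anyone having authenticated. A simple defensive control for that outcome is to export the user store periodically and diff privileged-group membership against the previous export, raising a finding for every new or newly elevated administrator that is not covered by an approved change. The following is an added example written for this article; it is not code from the original page, from SAP or from Onapsis. The record format, the field names, the group name "Administrators" and the two sample exports are assumptions constructed for the example.

```python
"""Detect unexpected privileged-account creation on an SAP NetWeaver AS Java system.

Added example, not code from the original article, SAP or Onapsis. It assumes
(hypothetically) that you export the user store to records with 'user', 'groups'
and 'created' fields, e.g. from a nightly job, and keep the previous export as a
baseline. Both snapshots below are constructed sample data.
"""
from dataclasses import dataclass

# Group assumed to grant full administrative rights in the Java user store.
# Adjust to the groups/roles that are privileged in your landscape.
PRIVILEGED_GROUPS = frozenset({"Administrators"})


@dataclass(frozen=True)
class UserRecord:
    user: str
    groups: frozenset
    created: str  # ISO date as exported


def privileged_users(snapshot):
    """Return the set of user ids holding at least one privileged group."""
    return {u.user for u in snapshot if u.groups & PRIVILEGED_GROUPS}


def find_new_privileged(baseline, current, approved=frozenset()):
    """Report privileged accounts in 'current' that were not privileged in 'baseline'.

    'approved' holds user ids covered by an authorised change request; every
    other new or elevated administrator is returned as a finding.
    """
    baseline_users = {u.user for u in baseline}
    baseline_priv = privileged_users(baseline)
    findings = []
    for rec in sorted(current, key=lambda r: r.user):
        if not rec.groups & PRIVILEGED_GROUPS or rec.user in baseline_priv:
            continue  # not privileged, or already privileged before
        if rec.user in approved:
            continue  # authorised change, no finding
        kind = "privilege_escalation" if rec.user in baseline_users else "new_privileged_account"
        findings.append({
            "user": rec.user,
            "kind": kind,
            "created": rec.created,
            "groups": sorted(rec.groups & PRIVILEGED_GROUPS),
        })
    return findings


# Constructed sample exports: yesterday's baseline and today's snapshot.
BASELINE_EXPORT = [
    UserRecord("Administrator", frozenset({"Administrators"}), "2015-01-10"),
    UserRecord("jdoe", frozenset({"Everyone"}), "2019-03-02"),
    UserRecord("svc_backup", frozenset({"Everyone", "Backup_Operators"}), "2018-06-15"),
]
TODAY_EXPORT = [
    UserRecord("Administrator", frozenset({"Administrators"}), "2015-01-10"),
    UserRecord("jdoe", frozenset({"Everyone", "Administrators"}), "2019-03-02"),
    UserRecord("svc_backup", frozenset({"Everyone", "Backup_Operators"}), "2018-06-15"),
    UserRecord("sapadm_tmp", frozenset({"Administrators"}), "2020-07-14"),
    UserRecord("ops_admin2", frozenset({"Administrators"}), "2020-07-14"),
]
APPROVED_CHANGES = frozenset({"ops_admin2"})  # covered by a change ticket


def demo():
    """Run the comparison on the constructed snapshots."""
    return find_new_privileged(BASELINE_EXPORT, TODAY_EXPORT, APPROVED_CHANGES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the sample data this flags "sapadm_tmp" as a new privileged account and "jdoe" as a privilege escalation, while the change-approved "ops_admin2" is ignored. Because the article notes that attackers can also delete or modify logs to cover their tracks, the exports and the baseline should be stored off the SAP host itself.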

“Java-based web applications are among the most common on the internet today, and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10.” He said the recently exposed vulnerability was particularly concerning because of the widespread use of Java frameworks in many business applications.

“This vulnerability points to the need already pointed out by NIST (National Institute of Standards and Technologies), for Runtime Application Self-Protection (RASP) – also known as runtime application security, to help protect web applications because Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production.”

“ERP systems are the ‘keys to the kingdom’ for organizations. They can control orders, billing, inventory, and many other core business processes. Critical security issues in these systems expose organizations to devastating consequences should they be exploited by cybercriminals.

Attackers could leverage this SAP vulnerability to bypass security controls to create themselves an SAP user account with the highest privileges in the system. Such a malicious user could disable checks and balances to place fraudulent orders or bills that could significantly disrupt business operations.”

The attacker could also completely shut down the system, perform unrestricted actions through OS command execution, or delete or modify traces, logs, and other files to cover their tracks. These low-level privileges originate from the attackers' ability to exploit the SAP service user account, which can perform application maintenance tasks, according to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.[1]

The researchers said they had not witnessed exploitation of the SAP bug in the wild. However, the risk it poses is severe because exploitation requires no technical knowledge or SAP account, making it extremely easy for anyone to exploit.

Recommendations:

Organizations should consider the following best practices:

  • Install the update released by SAP on every affected system; it patches the recently discovered SAP bug.
  • Implement the patch provided by SAP in note 2934135 immediately; it addresses multiple vulnerabilities in the Lifecycle Management Configuration Wizard of the Java application server.
  • Prioritize patching internet-facing systems first, then internal systems. Most internet-facing applications are at elevated risk, and disabling their online accessibility could be the most effective defensive action to take immediately.
  • If the patch cannot be applied, the recommended mitigation is to disable the LM Configuration Wizard (the component that drives efficiency by automatically discovering, storing, and monitoring changes to device configurations).
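The recommendations above amount to a triage rule: identify systems on the affected releases, check whether SAP note 2934135 is installed, patch internet-facing systems before internal ones, and treat a disabled LM Configuration Wizard as an interim workaround rather than a fix. The following is an added example written for this article, not code from the original page, SAP or Onapsis, that applies those rules to a landscape inventory. The inventory format, the field names and the sample hosts are assumptions constructed for the example; the release list, the note number and the ordering come from the recommendations.

```python
"""Patch-prioritisation helper for CVE-2020-6287 (RECON).

Added example for this article; not code from the original page, SAP or Onapsis.
The inventory record and its field names are constructed assumptions. The affected
releases (7.30, 7.31, 7.40, 7.50), SAP note 2934135 and the ordering (internet-facing
first, then internal; disable the LM Configuration Wizard when the patch cannot be
applied) are taken from the advisory text.
"""
from dataclasses import dataclass

AFFECTED_RELEASES = frozenset({"7.30", "7.31", "7.40", "7.50"})
REQUIRED_SAP_NOTE = "2934135"


@dataclass(frozen=True)
class SapJavaSystem:
    hostname: str
    nw_java_release: str      # e.g. "7.50", "7.5", "7.31 SP20" (constructed formats)
    internet_facing: bool
    notes_applied: frozenset  # SAP note numbers recorded as installed
    lm_wizard_disabled: bool  # workaround: LM Configuration Wizard switched off


def normalise_release(release):
    """Map '7.3', '7.30' or '7.50 SP12' to the two-digit minor form used in the advisory."""
    major, _, minor = release.strip().split()[0].partition(".")
    minor = (minor or "0")[:2].ljust(2, "0")
    return f"{major}.{minor}"


def is_affected(system):
    """True when the system runs one of the releases named in the advisory."""
    return normalise_release(system.nw_java_release) in AFFECTED_RELEASES


def classify(system):
    """Return (rank, action) for one system; a lower rank means act sooner."""
    if not is_affected(system):
        return 5, "not affected: release outside 7.30-7.50"
    if REQUIRED_SAP_NOTE in system.notes_applied:
        return 4, f"patched: SAP note {REQUIRED_SAP_NOTE} applied"
    if system.internet_facing and not system.lm_wizard_disabled:
        return 0, "P1: internet-facing and unpatched; apply the note or disable the LM Configuration Wizard now"
    if system.internet_facing:
        return 1, "P2: internet-facing, workaround in place; schedule the patch"
    if not system.lm_wizard_disabled:
        return 2, "P3: internal and unpatched; patch after the internet-facing systems"
    return 3, "P4: internal, workaround in place; patch in the next maintenance window"


def triage(systems):
    """Order the landscape so the most exposed systems come first."""
    rows = []
    for system in systems:
        rank, action = classify(system)
        rows.append((rank, system.hostname, action))
    return sorted(rows)


# Constructed sample landscape.
INVENTORY = [
    SapJavaSystem("portal-prod", "7.50 SP12", True, frozenset(), False),
    SapJavaSystem("portal-dr", "7.5", True, frozenset(), True),
    SapJavaSystem("pi-internal", "7.40", False, frozenset(), False),
    SapJavaSystem("hr-portal", "7.31", False, frozenset({"2934135"}), False),
    SapJavaSystem("legacy-xi", "7.02", True, frozenset(), False),
]


if __name__ == "__main__":
    for rank, host, action in triage(INVENTORY):
        print(f"{rank} {host:12} {action}")
```

On the sample landscape the unpatched, internet-facing portal-prod ranks first, the disaster-recovery host with the wizard disabled second, the internal PI system third, and the host with the note installed is reported as patched. Whether the note is installed should come from the system itself (the installed-notes record), not from a spreadsheet, or the triage only reflects what someone remembered to write down.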

[1] https://www.cpomagazine.com/cyber-security/recently-discovered-sap-bug-allows-anybody-without-technical-knowledge-to-hack-business-applications/